Commit Graph

3518 Commits

Author SHA1 Message Date
Andrew Keesler
a4fe76f6a9
test/integration: increase confidence that a cert has rotated
It looks like requests to our aggregated API service on GKE vacillate
between success and failure until they reach a converged successful
state. I think this has to do with our pods updating the API serving
cert at different times. If only one pod updates its serving cert to
the correct value, then it should respond with success. However, the
other pod would respond with failure. Depending on the load balancing
algorithm that GKE uses to send traffic to pods in a service, we could
end up with a success that we interpret as "all pods have rotated
their certs" when it really just means "at least one pod has rotated
its certs."

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-28 10:20:05 -04:00
Ryan Richard
9d7e073a9d Fix an assertion about an error message in an integration test 2020-08-27 17:50:46 -07:00
Ryan Richard
118ee7f9aa Merge branch 'self_test' into main 2020-08-27 17:26:29 -07:00
Ryan Richard
e0b5c3a146 Fix an assumption about GKE in an integration test 2020-08-27 17:18:48 -07:00
Ryan Richard
cbc80d5bc4 RetryOnConflict when updating CredentialIssuerConfig from outside any controller
- Controllers will automatically run again when there's an error,
  but when we want to update CredentialIssuerConfig from server.go
  we should be careful to retry on conflicts
- Add unit tests for `issuerconfig.CreateOrUpdateCredentialIssuerConfig()`
  which was covered by integration tests in previous commits, but not
  covered by units tests yet.
2020-08-27 17:11:10 -07:00
Ryan Richard
20a3208564 Add more subtitles to README.md 2020-08-27 15:11:38 -07:00
Ryan Richard
91ba39bd3b Merge branch 'main' into self_test 2020-08-27 15:02:49 -07:00
Ryan Richard
f6ea93e273 First draft of instructions to report security vulnerabilities 2020-08-27 15:02:11 -07:00
Ryan Richard
d728c926c1 Merge pull request #75 from suzerain-io/readme_edits
README doc updates
2020-08-27 14:53:41 -07:00
Ryan Richard
9ecc88a898
Merge pull request #75 from suzerain-io/readme_edits
README doc updates
2020-08-27 14:44:08 -07:00
Ryan Richard
18b000e324 Small readme changes 2020-08-27 14:43:16 -07:00
Ryan Richard
e6dd22ffb5 Merge branch 'main' into readme_edits 2020-08-27 14:29:11 -07:00
Andrew Keesler
92a6b7f4a4
Use same lifetime for serving cert and CA cert
So that operators won't look at the lifetime of the CA cert and be
like, "wtf, why does the serving cert have the lifetime that I
specified, but its CA cert is valid for 100 years".

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 15:59:47 -04:00
Matt Moyer
e39a38ecf2
Merge pull request #76 from mattmoyer/adjust-kube-versions
Update Kubernetes versions and adjust Dependabot config.
2020-08-27 14:12:43 -05:00
Matt Moyer
9d9b56073c Update Kubernetes versions.
- Upgrade from `1.19.0-rc.0` to the newly-release `1.19.0`.

- Downgrade from `1.18.6` to `1.18.2` to match some downstream consumers.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 13:06:05 -05:00
Matt Moyer
07bb2bb956 Simplify dependabot config now that we have fewer modules.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 12:16:09 -05:00
Matt Moyer
abe3f1ba4b
Merge pull request #73 from mattmoyer/native-client
Simplify modules and switch from low level client to a client using generated code.
2020-08-27 12:15:35 -05:00
Ryan Richard
1375df185d Doc updates 2020-08-27 10:14:03 -07:00
Matt Moyer
8f93fbb87b Make ./pkg/client into an internal package using the native k8s client.
This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 11:48:18 -05:00
Matt Moyer
68893a1e15 Merge the ./test packages back into the main module.
We were using this at one point to control which tests ran with `go test ./...`, but now we're also using the `-short` flag to differentiate unit vs. integration tests.

Hopefully this will simplify things a bit.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-27 11:38:52 -05:00
Andrew Keesler
9440316c20
README.md: remove Pinni (for now)
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 11:49:31 -04:00
Andrew Keesler
f9554e0bde
feature-proposal.md: I need more sleep 2020-08-27 11:46:43 -04:00
Andrew Keesler
89f059ae03
Make feature proposal and bug report language more similar 2020-08-27 11:44:54 -04:00
Andrew Keesler
7360489d1b feature_proposal.md: add initial feature proposal template 2020-08-27 11:38:42 -04:00
Andrew Keesler
61b758450e
doc/contributing.md: update link to bug report template 2020-08-27 11:21:04 -04:00
Andrew Keesler
9539f29f94 bug_report.md: fix formatting and poor spelling choices 2020-08-27 11:17:55 -04:00
Andrew Keesler
6cc7bdf7d3
bug_report.md: make description more general and welcoming :) 2020-08-27 11:15:24 -04:00
Andrew Keesler
8f4a2f98d7 Update bug issue template 2020-08-27 11:13:24 -04:00
Andrew Keesler
8ddc1a1e92
internal/controller/issuerconfig: add missing invalid kubeconfig test?
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 10:43:13 -04:00
Andrew Keesler
d240796110
test: fix ci failure: "no Auth Provider found for name "gcp""
kubectl pulls these in in their main package...I wonder if we should do
the same for our main packages?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-27 09:12:34 -04:00
Andrew Keesler
7502190135
Fix some copy issues in the docs 2020-08-27 08:39:57 -04:00
Andrew Keesler
aea3f0f90d
Merge pull request #74 from ankeesler/public-readme
First draft of public README (and neighboring docs)
2020-08-26 18:22:39 -04:00
Andrew Keesler
f66f7f14f5
First draft of public README (and neighboring docs)
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-26 18:19:35 -04:00
Ryan Richard
d8bcea88a7
Merge pull request #70 from suzerain-io/self_test
Self test feature
2020-08-26 14:26:59 -07:00
Ryan Richard
2629a9c42f Empty commit to trigger PR CI pipeline 2020-08-26 09:17:08 -07:00
Ryan Richard
90fe733f94 Empty commit to trigger PR CI pipeline 2020-08-26 08:49:44 -07:00
Ryan Richard
5ed97f7f9e Merge branch 'main' into self_test 2020-08-25 19:02:27 -07:00
Ryan Richard
80153f9a80 Allow app to start despite failing to borrow the cluster signing key
- Controller and aggregated API server are allowed to run
- Keep retrying to borrow the cluster signing key in case the failure
  to get it was caused by a transient failure
- The CredentialRequest endpoint will always return an authentication
  failure as long as the cluster signing key cannot be borrowed
- Update which integration tests are skipped to reflect what should
  and should not work based on the cluster's capability under this
  new behavior
- Move CreateOrUpdateCredentialIssuerConfig() and related methods
  to their own file
- Update the CredentialIssuerConfig's Status every time we try to
  refresh the cluster signing key
2020-08-25 18:22:53 -07:00
Andrew Keesler
4306599396
Fix linter errors 2020-08-25 10:40:59 -04:00
Ryan Richard
6e59596285 Upon pod startup, update the Status of CredentialIssuerConfig
- Indicate the success or failure of the cluster signing key strategy
- Also introduce the concept of "capabilities" of an integration test
  cluster to allow the integration tests to be run against clusters
  that do or don't allow the borrowing of the cluster signing key
- Tests that are not expected to pass on clusters that lack the
  borrowing of the signing key capability are now ignored by
  calling the new library.SkipUnlessClusterHasCapability test helper
- Rename library.Getenv to library.GetEnv
- Add copyrights where they were missing
2020-08-24 18:07:34 -07:00
Matt Moyer
c2e6a1408d
Remove old generated directories from dependabot. (#72)
These never worked quite right, so let's disable them for now: #51

We can probably come up with some better solution now with the new codegen scripts, but I'll leave that for later.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 16:20:34 -05:00
Matt Moyer
4e08866e87
Merge pull request #71 from mattmoyer/multi-version-codegen
Generate API/client code for several Kubernetes versions.
2020-08-24 16:12:31 -05:00
Matt Moyer
cbd6dd3356 Use a symlink instead of directly mounting into GOPATH.
This supports CI better, where the original input dir isn't in GOPATH.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 15:58:52 -05:00
Matt Moyer
eb05e7a138 Reverse the order of this diff so it makes more sense.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 15:46:51 -05:00
Matt Moyer
22f1ca24d9 Remove old generated code from ./kubernetes directory.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 15:03:55 -05:00
Matt Moyer
8b36f2e8ae Convert code to use the new generated packages.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:42:27 -05:00
Matt Moyer
34d13f71c2 Add newly generated code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:32:07 -05:00
Matt Moyer
1aef2f07d3 Add new ./apis directory and codegen scripts.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-08-24 14:32:07 -05:00
Andrew Keesler
142e9a1583
internal/certauthority: backdate certs even further
We are seeing between 1 and 2 minutes of difference between the current time
reported in the API server pod and the pinniped pods on one of our testing
environments. Hopefully this change makes our tests pass again.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-08-24 15:01:07 -04:00
Andrew Keesler
ed8b1be178
Revert "test/library: try another cert rest config"
Didn't fix CI. I didn't think it would.

I have never seen the integration tests fail like this locally, so I
have to imagine the failure has something to do with the environment
on which we are testing.

This reverts commit ba2e2f509a.
2020-08-24 11:52:47 -04:00